A system comprises one or more storage entities (SEs) each configured to store data for applications that rely on higher levels of data integrity, wherein each of the SEs has its own cryptographic identity in the form of a unique root identity key pair of public and private keys created at manufacturing time. Each SE generates one or more SE-specific asymmetric data owner keys upon invocation of a smart contract by a prospective data owner. The system further comprises a distributed ledger provisioned to the SEs and configured to maintain all public keys and/or public key certificates of the SEs. The system also comprises a key manager configured to hold all SE-specific data owner public keys and SE data access control keys, wherein the data stored on the SEs is protected by the SE-specific data access control keys wrapped by the SE-specific data owner keys based on current data ownership.